Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a ruling that threatens to transform a law against computer break-ins into a mechanism for criminalizing password sharing and policing Internet use.

In an amicus brief filed today, EFF urged the court to weigh in on a case in which an individual was charged with violating the Computer Fraud and Abuse Act (CFAA), a law intended to criminalize breaking into computers to access or alter data. Under the CFAA, it’s illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But the law doesn’t tell us what “without authorization” means.

Some courts have recognized that the CFAA must be interpreted narrowly to stay true to Congress’s intent of targeting crooks breaking into and stealing data from computers. These courts agreed that the CFAA mustn’t be used against, say, employees checking sports scores at work in violation of rules restricting Internet use to company business, or against people who shared their Facebook passwords in violation of Facebook’s terms of service.

But other courts—including the U.S. Court of Appeals for the Ninth Circuit in its 2016 U.S. v. Nosal decision—have broadly interpreted the statute to cover using a computer in a way that violates corporate policies, preferences, and expectations. In the case, David Nosal, an ex-employee of the Korn/Ferry executive recruiting firm, was charged with violating the CFAA after other ex-employees acting on his behalf accessed Korn/Ferry’s proprietary database using legitimate credentials of a current company employee. The current employee knew of and authorized the use of her credentials, which was against Korn/Ferry’s computer policies. The Ninth Circuit found that in using the shared password, Nosal accessed the database “without authorization.” The court said that implicit in the definition of “authorization” is the proposition that authorization can come only from a computer owner—here, Korn/Ferry—not an employee with legitimate access credentials.

There is nothing in the CFAA, or even in the dictionary, that defines “authorization” to mean only permission from a computer owner. The Ninth Circuit imported a corporate ban on password sharing into its definition of “without authorization.”

“This ruling threatens to turn millions of ordinary computer users into criminals,” said EFF Staff Attorney Jamie Williams. “Innocuous conduct such as logging into a friend’s social media account or logging into a spouse’s bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a CFAA prosecution. This takes the CFAA far beyond the law’s original purpose of putting individuals who break into computers behind bars.”

“EFF has long advocated for reforming the CFAA, which overzealous prosecutors have exploited in troubling ways,” said Williams. “The Supreme Court can do its part by reviewing the Ninth Circuit’s troubling decision and giving ‘authorization’ an appropriately narrow definition, specifically clarifying that password sharing is not—and was never intended to be—a crime.”
